Encryption at rest in Amazon QLDB - Amazon Quantum Ledger Database (Amazon QLDB)

Encryption at rest in Amazon QLDB

Important

End of support notice: Existing customers will be able to use Amazon QLDB until end of support on 07/31/2025. For more details, see Migrate an Amazon QLDB Ledger to Amazon Aurora PostgreSQL.

All data stored in Amazon QLDB is encrypted at rest by default. QLDB encrypts all ledger data at rest using encryption keys in AWS Key Management Service (AWS KMS), which removes the operational burden and complexity of protecting sensitive data yourself. With encryption at rest, you can build security-sensitive ledger applications that meet strict encryption compliance and regulatory requirements.

Encryption at rest integrates with AWS KMS for managing the encryption key that is used to protect your QLDB ledgers. For more information about AWS KMS, see AWS Key Management Service concepts in the AWS Key Management Service Developer Guide.

In QLDB, you can specify the type of AWS KMS key for each ledger resource. When you create a new ledger or update an existing ledger, you can choose one of the following types of KMS keys to protect your ledger data:

  • AWS owned key – The default encryption type. The key is owned and managed by AWS for use by QLDB (no additional charge). You can't view, manage, or audit the use of this key.

  • Customer managed key – The key is stored in your AWS account and is created, owned, and managed by you. You have full control over the key: its key policy decides which principals (including QLDB acting on your behalf) can use it, and each use is logged in AWS CloudTrail (AWS KMS charges apply).

Note

Amazon QLDB launched support for customer managed AWS KMS keys on July 22, 2021. Any ledgers that were created before the launch are protected by AWS owned keys by default, but are currently not eligible for encryption at rest using customer managed keys.

You can view the creation time of your ledger on the QLDB console.

When you access a ledger, QLDB decrypts the data transparently. You can switch between the AWS owned key and a customer managed key at any time, without changing any code or applications that use or manage the encrypted data.

You can specify an encryption key when you create a new ledger or change the encryption key on an existing ledger by using the AWS Management Console, the QLDB API, or the AWS Command Line Interface (AWS CLI). For more information, see Using customer managed keys in Amazon QLDB.
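The following is an added example, not code from this documentation page or from the QLDB SDK. It assembles the AWS CLI commands referred to above (`aws qldb create-ledger` and `aws qldb update-ledger` with `--kms-key`), validates the accepted forms of a customer managed key identifier (key ID, key ARN, alias name, alias ARN, or the literal `AWS_OWNED_KMS_KEY` to revert to the AWS owned key), and interprets the `EncryptionDescription` block of an `aws qldb describe-ledger` response to confirm that a key switch actually took effect. The parameter and field names are those of the QLDB API; the three sample responses are constructed for illustration, not captured from a real account, and the eligibility check uses the July 22, 2021 launch date from the note above.

```python
"""Choose, apply and verify the KMS key that protects a QLDB ledger.

Added example; not code from the AWS documentation page or from the QLDB SDK.
It assembles the AWS CLI commands the page mentions (create-ledger, update-ledger)
and interprets describe-ledger output. Parameter and field names are the QLDB
API's; the sample responses are constructed here, not captured from a real account.
"""
from __future__ import annotations

import re
from datetime import datetime, timezone

AWS_OWNED = "AWS_OWNED_KMS_KEY"  # special --kms-key value: revert to the AWS owned key
CMK_LAUNCH = datetime(2021, 7, 22, tzinfo=timezone.utc)  # ledgers created earlier can't use a CMK

# A customer managed key may be given as key ID, key ARN, alias name or alias ARN.
_KEY_ID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
_ALIAS = r"alias/[A-Za-z0-9/_-]+"
_ARN = r"arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:"
_KEY_RE = re.compile(rf"^(?:{_KEY_ID}|{_ALIAS}|{_ARN}(?:key/{_KEY_ID}|{_ALIAS}))$")


def is_valid_kms_key(key: str) -> bool:
    """True for AWS_OWNED_KMS_KEY or a syntactically valid customer managed key identifier."""
    return key == AWS_OWNED or bool(_KEY_RE.match(key))


def create_ledger_cmd(name: str, key: str | None = None,
                      permissions_mode: str = "STANDARD") -> list[str]:
    """argv for `aws qldb create-ledger`. key=None keeps the default (AWS owned key)."""
    cmd = ["aws", "qldb", "create-ledger", "--name", name,
           "--permissions-mode", permissions_mode]
    if key is not None:
        if not is_valid_kms_key(key):
            raise ValueError(f"not a KMS key ID, ARN or alias: {key!r}")
        cmd += ["--kms-key", key]
    return cmd


def update_ledger_cmd(name: str, key: str) -> list[str]:
    """argv for `aws qldb update-ledger`: switch between the AWS owned key and a CMK."""
    if not is_valid_kms_key(key):
        raise ValueError(f"not a KMS key ID, ARN or alias: {key!r}")
    return ["aws", "qldb", "update-ledger", "--name", name, "--kms-key", key]


def _as_utc(value) -> datetime:
    """CLI output carries ISO-8601 strings; boto3 returns datetime objects. Accept both."""
    dt = datetime.fromisoformat(value) if isinstance(value, str) else value
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def describe_encryption(ledger: dict) -> dict:
    """Summarise the EncryptionDescription block of a describe-ledger response."""
    enc = ledger.get("EncryptionDescription", {})
    arn = enc.get("KmsKeyArn")
    # KmsKeyArn is absent (or the literal AWS_OWNED_KMS_KEY) when the AWS owned key is in use.
    aws_owned = arn in (None, AWS_OWNED)
    status = enc.get("EncryptionStatus", "ENABLED")
    return {
        "key_type": "AWS owned" if aws_owned else "customer managed",
        "kms_key_arn": None if aws_owned else arn,
        "status": status,  # ENABLED | UPDATING | KMS_KEY_INACCESSIBLE
        "healthy": status == "ENABLED",
        "cmk_eligible": _as_utc(ledger["CreationDateTime"]) >= CMK_LAUNCH,
    }


def verify_key_switch(ledger: dict, intended_key_arn: str) -> list[str]:
    """Checks to run after update-ledger. An empty list means the ledger is protected by
    the intended key and encryption is healthy. Compare on the key ARN: describe-ledger
    reports the ARN whatever form (ID, alias) was passed to --kms-key."""
    s = describe_encryption(ledger)
    problems = []
    if intended_key_arn == AWS_OWNED:
        if s["key_type"] != "AWS owned":
            problems.append(f"still using customer managed key {s['kms_key_arn']}")
    else:
        if not s["cmk_eligible"]:
            problems.append("ledger created before 2021-07-22: customer managed keys are not supported")
        if s["kms_key_arn"] != intended_key_arn:
            problems.append(f"expected {intended_key_arn}, ledger reports {s['kms_key_arn']}")
    if s["status"] == "UPDATING":
        problems.append("key switch still in progress; re-check describe-ledger")
    elif s["status"] == "KMS_KEY_INACCESSIBLE":
        since = ledger["EncryptionDescription"].get("InaccessibleKmsKeyDateTime")
        problems.append("QLDB cannot use the key (disabled, deleted, or key policy denies QLDB); "
                        f"inaccessible since {since}")
    return problems


# Constructed sample responses (shape of `aws qldb describe-ledger` output; not real accounts).
CMK_ARN = "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
LEDGER_CMK = {"Name": "vehicle-registration", "State": "ACTIVE",
              "CreationDateTime": "2021-09-01T10:00:00+00:00",
              "EncryptionDescription": {"KmsKeyArn": CMK_ARN, "EncryptionStatus": "ENABLED"}}
LEDGER_LEGACY = {"Name": "legacy-ledger", "State": "ACTIVE",
                 "CreationDateTime": "2021-03-15T08:30:00+00:00",
                 "EncryptionDescription": {"EncryptionStatus": "ENABLED"}}
LEDGER_BROKEN = {"Name": "vehicle-registration", "State": "ACTIVE",
                 "CreationDateTime": "2021-09-01T10:00:00+00:00",
                 "EncryptionDescription": {"KmsKeyArn": CMK_ARN,
                                           "EncryptionStatus": "KMS_KEY_INACCESSIBLE",
                                           "InaccessibleKmsKeyDateTime": "2024-01-10T12:00:00+00:00"}}

if __name__ == "__main__":
    print(" ".join(update_ledger_cmd("vehicle-registration", "alias/qldb-ledger")))
    for ledger in (LEDGER_CMK, LEDGER_LEGACY, LEDGER_BROKEN):
        print(ledger["Name"], describe_encryption(ledger), verify_key_switch(ledger, CMK_ARN))
```

Two points the check enforces that the CLI alone does not: a ledger created before the launch date cannot be moved to a customer managed key, so `update-ledger` on it is not a useful remediation step; and a `KMS_KEY_INACCESSIBLE` status after the switch means QLDB can no longer use the key (it was disabled or scheduled for deletion, or the key policy no longer grants QLDB access), so the ledger is unreadable until access to the key is restored.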

Note

By default, Amazon QLDB automatically enables encryption at rest using AWS owned keys at no additional charge. However, AWS KMS charges apply for using a customer managed key. For information about pricing, see AWS Key Management Service pricing.

QLDB encryption at rest is available in all AWS Regions where QLDB is available.